For Komiko to access a tenant’s G Suite data, the deployment service account must be granted domain-wide delegation privileges to the tenant’s G Suite domain by that domain’s admin. Thus, in Google’s impersonation model, the service account is owned by the vendor (e.g. Komiko), and access management is owned by the tenant.
The Google domain admin uses the Google admin console to grant domain-wide delegation privileges to a service account. For more information from Google, see Using OAuth 2.0 for Server to Server Applications and Using OAuth 2.0 to Access Google APIs.
Here are the steps:
1. Log in to the admin console at https://admin.google.com
2. Click “Security”
3. Click “Advanced settings”
4. Under “Advanced settings / Authentication” click “Manage API client access”
5. Enter the client ID into the “Client Name” field and the scopes into the “One or More API Scopes” field, then click “Authorize”.
The client ID that goes into “Client Name” field is a 21-digit number rather than a web domain as suggested by the example. The client ID for the Komiko app is 118237920369539805520
The scopes required by Komiko are as follows and must be copied as-is into the scopes field (everything between the quotation marks, with the quotation marks themselves excluded): “https://mail.google.com, https://www.googleapis.com/auth/calendar, https://www.googleapis.com/auth/calendar.readonly, https://www.googleapis.com/auth/userinfo.email, https://www.googleapis.com/auth/userinfo.profile”
6. When the service account is authorized, this fact will be reflected on the list page as follows. The blurred-out region under the “Client Name” field must contain the client ID used when authorizing the service account in the previous step.
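The check in step 6 can also be scripted. The following is an added example, not part of Komiko's documentation: it compares a "Client Name" / scopes pair, as read off the list page, against the client ID and scopes given above and reports anything missing or extra. The function names, the sample entries and the tolerance for a trailing "/" on a scope are assumptions made for this example.

```python
import re

# Client ID and scopes copied from the steps above.
KOMIKO_CLIENT_ID = "118237920369539805520"
REQUIRED_SCOPES = frozenset({
    "https://mail.google.com",
    "https://www.googleapis.com/auth/calendar",
    "https://www.googleapis.com/auth/calendar.readonly",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
})


def parse_scopes(field):
    """Split a comma-separated scope field, dropping pasted quotes and a trailing '/'."""
    cleaned = field.strip().strip('"\u201c\u201d')
    return {s.strip().rstrip("/") for s in cleaned.split(",") if s.strip()}


def audit_grant(client_name, scope_field):
    """Return a list of findings; an empty list means the entry matches the page."""
    findings = []
    name = client_name.strip()
    if not re.fullmatch(r"\d{21}", name):
        findings.append("client name is not a 21-digit client ID")
    elif name != KOMIKO_CLIENT_ID:
        findings.append("client ID does not match the Komiko client ID")
    granted = parse_scopes(scope_field)
    for scope in sorted(REQUIRED_SCOPES - granted):
        findings.append("missing scope: " + scope)
    for scope in sorted(granted - REQUIRED_SCOPES):
        findings.append("unexpected scope: " + scope)
    return findings


# Constructed sample entries: one correct, one with a web domain as the client
# name, a scope left out and a scope that the page does not ask for.
GOOD_ENTRY = (KOMIKO_CLIENT_ID, ", ".join(sorted(REQUIRED_SCOPES)))
BAD_ENTRY = ("example.com",
             "https://mail.google.com/, https://www.googleapis.com/auth/calendar, "
             "https://www.googleapis.com/auth/calendar.readonly, "
             "https://www.googleapis.com/auth/userinfo.email, "
             "https://www.googleapis.com/auth/drive")

if __name__ == "__main__":
    for entry in (GOOD_ENTRY, BAD_ENTRY):
        print(entry[0], "->", audit_grant(*entry) or "OK")
```

Any "unexpected scope" finding means the service account can impersonate users for more APIs than this page requires, so the entry should be corrected before it is left in place.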